Commit 7abbe4e
committed
TASK-059: sha256-pin PMD analyzer download in CI
Add integrity verification for the pmd-dist-7.24.0-bin.zip artifact
downloaded by the lint lane of verify-build.yml. Introduces a pinned
PMD_SHA256 alongside the existing PMD_VERSION and pipes the pair into
`sha256sum -c -` immediately after the curl invocation, so a tampered
or substituted zip aborts the step before unzip/install.
A rotation-procedure comment block is added above the run: scalar so
future PRs that bump PMD_VERSION are reminded to update PMD_SHA256
in the same change. No TODO comment existed on this step to remove.
Local falsification rehearsal (Step A of the plan):
- Wrong digest (all zeros) on real zip: sha256sum -c - -> FAILED, exit=1
- Tampered zip (one byte flipped at offset 1000) against the
real digest: sha256sum -c - -> FAILED, exit=1
- Pristine zip against real digest: -> OK, exit=0
Real digest sourced by `shasum -a 256` of a freshly downloaded
pmd-dist-7.24.0-bin.zip from the GitHub release page (the upstream
.sha256 companion file is not published for this release; the
download-and-hash fallback documented in the plan was used).
Out of scope: the unrelated IWYU clang_18-branch TODO (~line 467)
and the libcurl-tarball SHA-256 TODO (~line 502) in the same file
are deliberately left untouched per the plan.

1 parent 36416af commit 7abbe4e
1 file changed
Lines changed: 8 additions & 0 deletions
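The pin-and-check pattern this commit describes, together with the three-case falsification rehearsal from the commit message (wrong all-zeros digest, one byte flipped at offset 1000, pristine file), as an added shell example. This is not the repository's verify-build.yml and not the project's code: it runs against a constructed stand-in artifact (2000 numbered lines from `seq`) rather than the real pmd-dist-7.24.0-bin.zip, and the function names `verify_sha256`, `rehearse` and `demo` are assumptions. It needs GNU coreutils (`sha256sum`, `dd`, `seq`, `mktemp`).

```shell
#!/usr/bin/env bash
# Added example, not the repository's own CI step. Demonstrates feeding a
# pinned digest to `sha256sum -c -` exactly as the commit message describes,
# and the local Step A rehearsal, on a constructed file instead of the PMD zip.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when FILE's SHA-256 equals EXPECTED_HEX. An empty, truncated
# or non-hex pin fails closed instead of being passed to a lenient checker.
verify_sha256() {
    file="$1"
    expected="$2"
    case "$expected" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 1
    # coreutils checksum-file format: digest, two spaces, filename.
    printf '%s  %s\n' "$expected" "$file" | sha256sum -c - >/dev/null 2>&1
}

# status CMD...: run CMD and echo its exit code (0 or 1) without tripping set -e.
status() {
    if "$@"; then echo 0; else echo 1; fi
}

# rehearse FILE: the commit's Step A. Prints one line per case and returns 0
# only if the two bad cases fail and the pristine case passes.
rehearse() {
    src="$1"
    real=$(sha256sum "$src" | cut -d' ' -f1)
    zeros=$(printf '%064d' 0)              # the "all zeros" wrong digest
    tampered=$(mktemp)
    cp "$src" "$tampered"
    # Overwrite the byte at offset 1000 with 0xFF in place (conv=notrunc keeps
    # the rest of the file); the stand-in artifact never contains 0xFF, so
    # this is guaranteed to change the content.
    printf '\377' | dd of="$tampered" bs=1 seek=1000 conv=notrunc 2>/dev/null
    r1=$(status verify_sha256 "$src" "$zeros")
    r2=$(status verify_sha256 "$tampered" "$real")
    r3=$(status verify_sha256 "$src" "$real")
    rm -f "$tampered"
    echo "wrong digest (all zeros): exit=$r1"
    echo "tampered byte @1000:      exit=$r2"
    echo "pristine:                 exit=$r3"
    [ "$r1" -ne 0 ] && [ "$r2" -ne 0 ] && [ "$r3" -eq 0 ]
}

# demo: build a constructed artifact (not the real PMD zip) and rehearse on it.
demo() {
    d=$(mktemp -d)
    seq 1 2000 > "$d/pmd-dist-example.zip"   # constructed stand-in, ~8.9 KB
    rehearse "$d/pmd-dist-example.zip"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo
```

Calling `verify_sha256 "$ZIP" "$PMD_SHA256"` in the CI `run:` block and letting its exit code propagate is the whole check; because `sha256sum` is the last command in the pipe, its status is what the shell reports, so no `pipefail` is needed for this line.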
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
440 | 440 | | |
441 | 441 | | |
442 | 442 | | |
| 443 | + | |
| 444 | + | |
| 445 | + | |
| 446 | + | |
| 447 | + | |
| 448 | + | |
443 | 449 | | |
444 | 450 | | |
| 451 | + | |
445 | 452 | | |
446 | 453 | | |
| 454 | + | |
447 | 455 | | |
448 | 456 | | |
449 | 457 | | |
| |||
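Review bot: the eight added lines (new lines 443-448, 451 and 454) render empty on this page, so the YAML cannot be checked here beyond the commit message's description of them as the rotation comment block, the PMD_SHA256 pin beside PMD_VERSION, and the `sha256sum -c -` call after the curl. Two things a reviewer would want: the pinned digest value itself does not appear in the commit message, so it cannot be cross-checked against an independent download; quoting it there would let the next reviewer confirm it without trusting the diff. And since the message notes that no upstream .sha256 companion is published for this release, the rotation comment at 443-448 should say so and name the download-and-hash fallback (`shasum -a 256` on a fresh release download), otherwise the next PR that bumps PMD_VERSION will go looking for a companion file that does not exist. When feeding the pair to `sha256sum -c -`, keep the two-space separator between digest and filename, which is the checksum-file format coreutils expects.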
0 commit comments